d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f

Analysis

max time kernel
178s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 02:45

Target

d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe
Size

1.6MB
MD5

4264303e77a15cacc09419f51ac6f5d5
SHA1

6aaf5771a57c855d84965793b53c9c730430bff5
SHA256

d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f
SHA512

b3cac8da7b13fddbca76d34b3ed0bb139ff62f0ccc8cab5f2a206adeb0ae3973a83877e226e48cb19a895c6a4f28ab55c390ec89b3d7a7853e8957e1feb4ca9f
SSDEEP

49152:DgkMo5Xy/BWm3gPTNL1IfJebA5rOYiZna:Dgvo5Zm3gx12ebSivZna

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3372	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3372	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp
3372	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp
3372	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp
3372	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 3372	2576	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe	81
PID 2576 wrote to memory of 3372	2576	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe	81
PID 2576 wrote to memory of 3372	2576	d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe	81

C:\Users\Admin\AppData\Local\Temp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe
"C:\Users\Admin\AppData\Local\Temp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\is-73VAF.tmp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-73VAF.tmp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp" /SL5="$D01C6,990866,70144,C:\Users\Admin\AppData\Local\Temp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3372

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\is-73VAF.tmp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-73VAF.tmp\d2d335ab25c019f6d83fc2b1c5719bea22d1b14d0e7a574477fb301c374d8c2f.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/2576-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2576-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3372-135-0x0000000000000000-mapping.dmp

Download